Missing Authentication for Critical Function
CVE-2026-22731
Summary
Spring Boot applications with Actuator can be vulnerable to an Authentication Bypass vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot spring-boot-actuator and spring-boot-actuator-autoconfigure versions 4.0 through 4.0.3, 3.5 through 3.5.11 and 3.4 through 3.4.14. This CVE is similar but not equivalent to CVE-2026-22733, as the conditions for exploit and vulnerable versions are different.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-306 - Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
References
Advisory Timeline
- Published
